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Abstract —State estimation is routinely being performed in 
high-voltage power transmission grids in order to assist in 
operation and to detect faulty equipment. In low- and medium- 
voltage power distribution grids, on the other hand, few real¬ 
time measurements are traditionally available, and operation is 
often conducted based on predicted and historical data. Today, 
in many parts of the world, smart meters have been deployed at 
many customers, and their measurements could in principle be 
shared with the operators in real time to enable improved state 
estimation. However, customers may feel reluctance in doing so 
due to privacy concerns. We therefore propose state estimation 
schemes for a distribution grid model, which ensure differential 
privacy to the customers. In particular, the state estimation 
schemes optimize different performance criteria, and a trade-off 
between a lower bound on the estimation performance versus 
the customers’ differential privacy is derived. The proposed 
framework is general enough to be applicable also to other 
distribution networks, such as water and gas networks. 

I. Introduction 

State estimation has long been an essential component of 
electric power system monitoring and control systems [1], In 
transmission systems it is typically based on near-real time 
measurements of voltages, power flows, and more recently, 
voltage phasors. In low- and medium-voltage distribution 
systems it is, however, often based on predicted loads 
in lack of a dedicated communication infrastructure and 
measurement devices [2], [3]. Due to the proliferation of 
volatile distributed renewable generation ( e.g residential PV 
systems), predicted loads will soon no longer be sufficient 
to achieve a good enough state estimate that would allow 
efficient and safe operation of the distribution grid, e.g., volt¬ 
age conservation and VAR control (VVC), or fault location, 
isolation and restoration (FLIR), and real-time measurements 
will therefore become necessary. 

While a dedicated real-time monitoring infrastructure for 
distribution grids may be too expensive, automated and smart 
meters, which are being deployed world-wide for billing 
purposes, could be used for providing the operators frequent 
measurements of the loads, thereby enabling dynamic state 
estimation. Nonetheless, collecting frequent measurement 
data about residential or industrial customers’ loads can be 
used to invade the customers’ privacy in a variety of ways [4]. 

To protect customers’ privacy but at the same time allow 
frequent smart meter measurements for system operation. 
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a number of privacy-preserving aggregation schemes have 
been proposed recently [5], [6], [7]. Aggregation can be 
done via a trusted third party [5] or by using cryptographic 
solutions such as homomorphic encryption [6], but these 
solutions increase system complexity significantly. An al¬ 
ternative aggregation scheme that does not increase system 
complexity relies on adding random noise, typically Gaussian 
or Laplacian, to the measurement data submitted by the cus¬ 
tomers. Combined with careful protocol design, aggregation 
with random noise has been shown to provide differential 
privacy [7], a probabilistic notion of privacy that is widely 
used in statistical databases [8], [9] and has recently found 
application in filtering and control [10], [11]. While adding 
noise may help preserve privacy, a fundamental question 
is how it would affect the quality of state estimation, and 
ultimately the power system applications that rely on it. 

In this paper, we address this question by providing a 
characterization of the trade-off between differential privacy 
and the mean distortion of the state estimate in a single 
feeder of a distribution network based on load measurements 
from smart meters. We characterize the e- and the (e, 6)- 
differential privacy under Laplacian and Gaussian additive 
random noise, respectively. We express the maximum a pos¬ 
teriori state estimate as the solution of a convex programming 
problem, and provide a closed-form expression for the linear 
minimum mean square error estimate. We show that a 
customer by adding random noise may only have to give 
up a little bit extra of privacy, and can still dramatically 
improve the state estimation performance, which could en¬ 
able optimizing financial incentives for trading estimation 
performance and customer privacy. 

The trade-off between privacy and estimation quality has 
been considered for inter-area state estimation in [12], where 
the trade-off between the mutual information and the ex¬ 
pected distortion was investigated in an information-theoretic 
framework. The authors in [13] studied the trade-off between 
the distortion of the estimate of a random variable modeling 
an electric load and the information leakage quantified by 
the mutual information. Instead of mutual information, in this 
paper we use differential privacy, which allows us to evaluate 
privacy when different users’ data are non-stationary, and 
even without a statistical model of the data. In [10], the 
authors study the differential privacy of the inputs to a 
dynamical system when releasing the outputs to a potential 
adversary, and design a differentially private Kalman filter 
that protects the input variables. In this paper, the setup is 
somewhat similar but we do not consider a dynamical system 
and we do analyze the case when the filter has access to side 
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Fig. 1. The considered distribution line. The grid operator can only directly 
measure the current Iq at the substation. We analyze how the operator 
can benefit in the state estimation from communicated measurements of 
the loads Li, L 2 ,.. •, Ljy, while maintaining individual customers’ privacy 
(customer denoted by C ). 


information, beyond the control of the inputs. In [11], the 
authors evaluate the cost of differential privacy in a system of 
agents that try to estimate their environment in a distributed 
manner. In our work, the estimation is done by a central 
entity instead of the agents themselves. 

The rest of the paper is organized as follows. Section QI] 
describes our model and the problem formulation. Section Hill 
defines differential privacy in the context of state estimation. 
Section m provides optimal state estimation algorithms 
under various assumptions and bounds on their accuracy. 
Section m analyzes the trade-off between privacy and es¬ 
timation error, and Section [VI] concludes the paper. 

II. Modeling and Problem Formulation 

Operators of low- and medium-voltage power distribution 
networks today typically only have access to a relatively 
small number of real-time measurements [2], [3]. It is then 
not possible to run standard state estimation algorithms as 
is commonly used in high-voltage transmission grids [1]. In 
this work, we therefore analyze how low-level measurements 
of the customers’ loads can be integrated in state estimation 
schemes, while ensuring the customers’ privacy. 

We consider a single distribution line that is connected to a 
substation under the control of an operator, see Fig. [7] Since 
distribution grids are typically radial, this is not a severe 
restriction. There are N service drops or laterals along the 
line; at each service drop location j along the line, there 
are several loads connected in parallel, which draw a total 
load current L ? . We will here investigate the “value” of a 
measurement of Lj to the operator. Such a measurement 
could be realized in a modern distribution power grid by 
using individual customers’ smart meters. For example, the 
individual customers at location j could aggregate their 
measurements and send them directly to the operator, in 
real time. However, for privacy reasons, it may not be 
desirable for an individual customer to share its instantaneous 
load. We denote such a customer by C in Fig. [Q and 
will next investigate how the customer can contribute with 
measurements and still maintain a quantifiable amount of 
privacy. 

Remark 1: It is not necessary to have a trusted agent at 
location j to perform the aggregation of the measured load 
currents, to form the measurement of Lj. In [7], it is shown 
how such computations can be securely decentralized among 
the customers. 


1) Modeling: In what we call the Base Scenario, the 
operator has only access to a real-time measurement Z {) 
of the total current flow Io that is being supplied from the 
substation, 

Z 0 = I 0 + Wo, (1) 


where Wo ~ Af( 0 . Rq) is zero-mean Gaussian measurement 
noise, of variance Rq = (Tg (cto is the standard deviation). In 
the Base Scenario, we also assume the operator has access 
to a statistical model of the loads Li, L 2 , ■.., L ,v along the 
line. In the power systems literature, sometimes such data 
are referred to as pseudo measurements. The load vector L 
is assumed to have a multivariate Gaussian distribution, L ~ 
Af(m, P), with mean and covariance denoted by 
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The Gaussian distribution of the loads can be justified if 
we assume each load Lj is an aggregate of a multitude 
of individual customers as indicated already in Fig. Q] 
The operator could estimate this statistical model based on 
historical load data. The following notation will also be used. 
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where 1 is column vector of ones. 

In this paper, the sole physical model used is based on the 
conservation of currents, i.e., 


Ij=Y J L k, j = 0,l,...,N, (2) 

k>j 


where lj are the (unknown) currents along the line. It is clear 
that the operator may benefit from a more detailed physical 
model in the state estimation to follow, but we leave this 
option for future work. 

Remark 2: Note that flow conservation models similar to 
© apply to other distribution networks, such as gas and 
water networks, where mass is a conserved quantity. Hence, 
the results that follow are applicable also in these scenarios. 

Based on the model ©, it follows that the total current Iq 
has a Gaussian distribution, Iq ~ AT (mo, Pq + Rq), where 

m 0 := mi + m 2 + ... + mjv, Po '■= l 1 PI. 


In what we call the Smart Meter Scenario, the operator 
is also provided real-time measurements Zj of the loads 

L\, L2 ,..., Ln, 


Zj = Lj + Wj , j = 1,2,...,N, (3) 

where Wj ~ Lap(p) are independent zero-mean random 
noise variables with Laplacian distributions of variance R. :j = 














2b 2 . (The probability density function (PDF) of a zero-mean 
Laplacian random variable W is pw(w) = ^e~^ w ^ b .) The 
reason for the Laplacian noise assumption will become clear 
in Section Hill 

2) Problem Formulation: Based on the measurement Z (l 
and the statistical model of L, it is possible for the operator 
in the Base Scenario to estimate the loads L\, L%,..., Ln 
and currents Ji, J2,..., In-i along the line, see Section ITVl 
With such estimates, one can monitor the status of the 
line and detect faults in real time. However, when the load 
uncertainty is large (the covariance P is large), the quality 
of this estimate is low. 

The main problem considered in this paper is how to 
integrate the load measurements Z\, Z 2 ,. ■ ■, Z^ in the state 
estimation in the Smart Meter Scenario, and to quantify the 
improvement of the estimate and the loss of privacy that the 
customers experience. 

III. Differential Privacy for the Distribution 
Line Loads 

In this section, the goal is to quantify the loss of pri¬ 
vacy that the customers along the distribution line expe¬ 
rience through the introduction of the load measurements 

Z 0 , Z 1 ,..., Zn. 

A. Differential Privacy 

To quantify the level of privacy enjoyed by the customers 
along the line, we employ the notion of differential privacy, 
see [8], [9], [10], [11], for example. We first need to introduce 
some concepts: Suppose that data from m customers are 
stored in a vector d £ M m . We call the vector d a data 
vector. We say two data vectors d, d' £ K m are adjacent, 
Adj(d, d'), if and only if they differ in one entry: 

for some k , dk d' k , and di = d[ for all l ^ k. 

A concrete example is that one customer turns off his 
smart meter and does not participate in the data collection, 
transforming d into d!. We also note that Adj(-,-) is a 
symmetric binary relation. 

We say a measurement Mf,W) : M m —> M, where W 
is a random variable, is ( e, 5)-differentially private if for all 
adjacent data vectors d, d' £ R m , and possible events E C 
Supp (M(d, W)) U Supp(M(d / , W)), it holds 

Pr[M(d, W)£E\< e e Pr [M(d', W)£E] + S. (4) 

If e > 0 and 6 > 0 are small, this means that the changes 
in the statistics of the output of M are very small when 
applied to any adjacent data vectors. Put differently, with 
access to only the output of M, it is practically impossible 
to decide whether a single customer has participated in 
the measurement, or not, and (e, 6) provides a quantitative 
certificate of privacy to the customer. If © holds with <5 = 0, 
we say M is e-differentially private. More details on the 
interpretation of differential privacy can be found in [8], [9], 
[10], [11], for example. 


To design (e, S) -differentially private measurements M, 
we use Theorems 2 and 3 in [10]. First, we suppose the 
measurements can be written in the general form 

M{d , W) = q(d) + W, 

where q : R m — > R is a deterministic query that depends on 
the data vector only. Next, define the sensitivity of a query 
q by 

S(q):= sup \q{d) - q(d')\. 

d,d':Adj(d,d') 

That is, S(q) measures the worst-case change in output of 
q(d) over adjacent data vectors d. The following proposition 
then holds. 

Proposition 1 ([10]): The measurement M(d,W) = 
q(d) + W is: 

(a) e-differentially private if the random variable W has a 
Laplace distribution, W ~ Lap(6), with zero mean and 
scale parameter b > 

(b) (e, <5)-differentially private if the random variable W 

has a Gaussian distribution, W ~ Af(0,a 2 ), with 
zero mean and standard deviation a > + 

ffK 2 + 2e), where K := K{5) = and Q(x) := 

^Ce~ u2/ *du. 

Hence, by either adding Laplacian noise or Gaussian noise 
to a query we obtain differential privacy. Note that Laplacian 
noise yields better privacy (5 = 0) because its PDF has fatter 
tails. Thus if customers can choose to add noise, Laplacian 
noise is the natural selection and justifies the model ([3}. 
The noise in £Q is modeled as being Gaussian, because 
we assume it arises in the physical meter owned by the 
operator. There is of course also similar physical noise in the 
customers’ smart meters, but for simplicity we assume this 
is negligible. In any case, introducing more noise sources 
in the customers’ measurements would only increase their 
privacy. 

B. Privacy in the Base Scenario 

By providing measurements of the loads Lj, it is clear 
that the customers will loose some privacy. However, the 
operator can already measure the total current / () by means 
of ®- beyond the control of the customers. We should 
first therefore evaluate the loss of privacy through this 
measurement. Because Z {) is subjected to Gaussian noise, 
we use Proposition 0(b). 

The query in this case is the total current, qo = h + 
I 2 + ■ ■ ■ + In, where Zi, I 2 , ■ ■ ■, In are realizations of the 
random variables L\, L 2 , ■ ■ ■, L.v. An adjacent load pattern 
is obtained if a single customer C at an arbitrary location j 
changes his or her load, so that the load goes from lj to /'. If 
we assume a (uniform) bound on the difference between the 
maximum and minimum load current of a single customer 
is A, it easily follows that the sensitivity of go is 

S(qo) = A. 

The differential privacy in the Base Scenario is stated next. 



Lemma 1: The measurement Zq gives (eo, (^-differential 
privacy to the customers, where 



and K = K(5 0 ) = Q~ 1 (S 0 ). 

Proof: Follows by a Taylor expansion of the standard 
deviation formula in Proposition Q}(b). ■ 

A typical choice of i5o is 0.05, which gives K « 1.64, or 
<5o = 0.01, which gives K « 2.33. We note that the 0(-)- 
term in Lemma |T] can be neglected if the customer size A 
is small as compared to I\, and then eo ~ AK/cfq. 

Remark 3: Note that differential privacy is independent of 
the underlying probability distribution of the load pattern L 
(the data). Hence, no matter if it is really Gaussian, or not, 
the level of privacy is guaranteed. The statistical model of 
the data is needed for reliable state estimation, however. 

C. Privacy in the Smart Meter Scenario 

In the Smart Meter Scenario, the customers provide the 
measurements Zj, j = 1,2, ...,7V to the operator, which 
causes a loss of privacy compared to the Base Scenario. In 
this case, the queries are of the type qj = lj, where f is 
a realization of Lj. Under the same assumptions as in the 
previous subsection, we have that 

S(qj) = A, j = 1,2,. ..,1V, 

where A is the uniform bound on a single customer’s 
maximum load current change. 

Remark 4: Note that the measurement Zj sent to the 
operator is the sum (aggregate) of all the customers’ load 
currents at location j, plus the chosen Laplacian noise. 
We assume that A is a bound that works for every single 
customer at location j. 

By Proposition |T}(a), it is clear that the measurement Zj 
gives e-differential privacy to every single customer, where 
e = A/bj. Hence, by choosing the scaling parameter h ;i for 
the Laplacian noise properly, the customers can tune the level 
of privacy. However, there is also a loss of privacy through 
Zq, and for the composite measurement (Zq, Zf) we have 
the following result. 

Theorem 1: The composite measurement (Zq. Zj) gives 
a customer at location j a (eo + e, (5oe c )-differential pri¬ 
vacy, when Z 0 is (e 0 ,^-differentially private and Zj is e- 
differentially private. 

Proof: By definition of differential privacy, we have 

that 

Pr [Zq £ Eq\ Lj = lj] < e e ° Pr[Z 0 £ -Bo I Lj = lj] + <5o 
Pr [Zj e E 3 \L 3 = lj] < e e Pt[Zj £ Ej\Lj = ('], 

for all events Eq and E :) and adjacent loads \h - l'i I < 
A. Multiplying the two inequalities, and using that the 
measurements are independent, we obtain 

Pt[Z 0 6 B 0 , Zj £ Ej\Lj = lj] 

< e eo+£ Pr [Z 0 £ E 0 , Zj £ EfLj = /'•] + S 0 ef 


which yields the result. ■ 

That there is not a dramatic loss of privacy under compo¬ 
sitions of differentially private measurements is in fact one 
of the main advantages of differential privacy, see [9] for a 
more general treatment. 

IV. State Estimation of the Distribution Line 

In this section, we present algorithms for computing 
(optimal) state estimates, and we bound their accuracies. To 
simplify the presentation, we here only consider the estimates 
of an arbitrary load Lj, and not currents lj. Because of the 
linear relation (0, it should be clear how to obtain estimates 
of the currents from the load estimates. 

A. Optimal State Estimation in the Base Scenario 

In the Base Scenario, the operator has only access to 
the measurement Zq and the statistical model of the loads 
L. Since these have a multivariate Gaussian distribution, 
the optimal state estimate (minimum mean square error 
(MMSE) estimate) is given by the conditional mean of Lj 
[14, Example 3.4], 

L° j :=E[L j \Zo]=m j + j^-(Z 0 -m 0 ), (5) 

where Pj = Pji + ... + Pjj + ... + PjN- The variance of 
the estimation error is 

Q°j “ E l(L°j - Lj) 2 ] = P 3j - , (6) 

and provides a baseline accuracy indicator for state estima¬ 
tion. It is clear that if the variance of the load Lj (Pjj) 
is small in comparison to the variance of the measurement 
Zq, the operator gains very little information through this 
measurement. 


B. MAP State Estimation with Smart Meters 


When the load model and the measurements all have a 
jointly Gaussian distribution, the MMSE estimate and the 
maximum a posteriori probability (MAP) estimate (see [15], 
for example) coincide, and are equal to E[L 3 \Zq]. In the 
Smart Meter Scenario, the random noise W\, W 2 ,..., Wn 
follow a Laplacian distribution, and therefore this is no 
longer the case, in general. It is well known [14, The¬ 
orem 3.1] that the MMSE estimate is still given by the 
conditional mean L* := E[Lj\Zo, Z\, ..., Zm], but a simple 
closed-form expression for L* similar to 0 is in this case 
not known to us. The MAP estimate also does not have a 
simple closed-form solution, but it is possible to compute it 
online by means of a simple convex program, as we show 
next. 

The PDF for the load vector L takes the form 

p L (l) = 

VdetP 

and the conditional PDF for the measurements are 


Pz 0 ,z\l(zq, z\l) 
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where Z := (Zi, Z 2 ,..., Zn) t and Iq := 1 T l. Given the 
received measurements zq and z, the MAP estimate of Lj 
can be obtained as 

L map (z 0 ,z) := argmaxpz\ L (z 0 , z\l)p L (l). (7) 

The following proposition states an alternative, and more 
explicit form of the estimate. 

Proposition 2: The MAP estimate of L given the mea¬ 
surements Zq, Z is 

L map (z 0 , z) = argmin 

+ l -\\p-'/\l^rn)\\l+ l -\\z-l\\ 1 . 


It should be clear that the accuracy is not as good as the 
MMSE estimate L *, in general, since we have only optimized 
over the linear estimators. 

To get an even simpler closed-form expression, an 
LMMSE estimate based on only a few of the measurements 
is constructed. 

Proposition 4: The LMMSE estimate of Lj given the 
measurements Zq. Zj is 


L°’ j 


V hn [L 3 \Z 0l Z 3 ] 

° ' ^ (Zj — rnrij) — 


= l" + k 3 


Ro + Po 


(Z 0 - mo) 


where Lj is the Base Scenario MMSE estimate (0, and 


Proof: Follows by a straightforward insertion of the 
PDFs into 0. ■ 

The optimization problem in Proposition [2] is convex since 
the objective is a sum of 1-norm and 2-norm expressions. 
Hence, it can easily be solved using standard optimization 
software. Although this result is useful for an implementation 
of the state estimator, we are not aware of an accuracy 
indicator similar to Q°. Because of this, we next turn to 
an optimal linear estimator, where we can characterize the 
accuracy in general. 

Remark 5: Recently [16] investigated dynamical state es¬ 
timation problems where the noise was a mix of Gaussian 
and Laplacian random variables. Although the motivation for 
that work was not related to privacy, it seems the results 
obtained there have implications for privacy as well. 

C. LMMSE State Estimation with Smart Meters 

For arbitrarily distributed measurements, it turns out that if 
we limit ourselves to only linear estimators when minimizing 
the mean square error (the LMMSE), we obtain simple 
closed-form expressions. We will use the following result. 

Proposition 3 (Theorem 2.1 [14]): Let the random vari¬ 
able (X , Z) have mean ( m x , rn z ) and covariance [ §** ]. 

Then the LMMSE estimate is given by 

E lin [X| Z] := m x + E,,E ~l(Z - m z ), 

with estimation error covariance Y, xx — E^.-E j. 1 L zx . 

In the Smart Meter Scenario, using Proposition [3] one 
easily obtains the LMMSE estimate of Lj given all the 
measurements as 

L°j N := V hn [L 3 \Z 0 ,Z] 
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where P : j is the y-th column of the covariance matrix P. 
The accuracy of the LMMSE estimate is 

Q? n :=E l(L 3 -Lf N ) 2 ] 
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The accuracy of L?-’ 0 is 


(9) 


Q° J ■■= E [(Lj - L°f j ) 2 ] = Q°j( 1 - Kj) < Q°, (10) 

where (/) is the accuracy of the Base Scenario MMSE esti¬ 
mate 0. 

Proof: Applying the Schur complement formula to the 
inverse covariance matrix in the LMMSE estimate 


L°f j ■= E lin [ Lj\Z 0l Zj ] 


'Pi 

T 

Pq + Ro 

Pj 

-1 

Z 0 - m 0 

P 33 . 


Pj 

Pjj + Rj. 


Zj - mj _ 


yields the desired expression. After some manipulations 
of ® applied to only the measurements Zq and Zj, the 
expression in {[0| is obtained. ■ 

It is seen from Proposition [4] that the variable Kj can both 
be seen as the gain one should use to fuse in the additional 
measurement Z 3 to the estimate of Lj, and as a measure of 
the relative improvement in the estimate as compared to the 

Base Scenario, i.e., Kj = 3 O o 3 ■ 

The relation between the accuracies of the different esti¬ 
mators is summarized next. 

Corollary 1: For j = 1,2,..., TV, it holds that 


Qj < Qf N < Q°j’ j < Q]r 

where Q* := E [(Lj — L *) 2 ] and L* is the MMSE estimate 
given measurements Z 0 ,Z. 

The reason we are interested in Lj' 1 and Q 3 is because 
they are easily computed and provide a simple non-trivial 
expression for the improvement given by a single load 
measurement Zj. The point is that if a more complicated 
estimate is constructed, such as L*j or Uj ' N , their accuracy 
will be at least as good as indicated by Kj in ( 1 1 Oi l. This will 
prove useful in the next section where some insights related 
to the trade-off between privacy and estimation quality are 
obtained. 


























V. Trade-off: Estimation Performance vs. 
Privacy Loss 


i 


rjj = 0.001 


A customer in the Smart Meter Scenario has (e+eo, Soe e )- 
differential privacy, following Theorem Q] The customer can 
increase his or her privacy by increasing the smart meter 
noise level Rj, but this comes at the expense of the state 
estimation performance. In this section, we investigate this 
trade-off a bit closer, and in particular identify situations 
where only a minor loss of privacy can lead to a large 
improvement in the state estimate. 

We start by introducing the dimensionless quantities 

A 2 P 

h ' ‘ /'o • /-’o' 

The variable rjj normalizes the customer’s variability with 
the total load variability at location j. Hence, it is a measure 
of how large player the customer is in comparison with 
other loads at location j. The variable Q measures how 
large the total load variability at location j is in comparison 
with the overall current variability in the distribution line. 
Thus if both rjj and Q are small, it means the customer is a 
relatively small player at location j, and location j is overall 
responsible for only a small part of the variability on the 
line. 

In the following, we for simplicity assume that the loads 
are uncorrelated, i.e., that Pj = Pjj. We use that the variance 
of the Laplacian measurement noise added to Lj is 


2^ 2 _ ^rijPjj 


We can now express the relative improvement of the state 
estimate as (see ©-CE3) 


Kj = 


{Ro + P 0 )Pjj - P 2 
( R 0 + P 0 )(P jj+Rj )-Pf 


-1 I RjjRo+Po) 
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( 11 ) 


where the last approximation holds for small e. The total 
differential privacy for the customer is (e+eo, <0e e ) and e is a 
measure of how much extra privacy the customer at location 
j gives up by sharing his or her load measurement. The 
customer’s differential privacy can be no better than (eo, So), 
and using Lemma |T| this lower bound is 
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2 
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A 2 K 2 
Ro 


^ 0 + 10 ■ 


( 12 ) 


Not surprisingly, small rjj and Q assure a high level of 
privacy to the customer in the Base Scenario because his 
or her actions are barely noticeable in Z$. 

In Ligs. |3 and [3 we plot the lower bound on relative 
improvement £TQ> as a function of the total loss of privacy, 
for fixed Q and rjj, respectively. The values of rjj and Q are 
chosen to give comparable values for the lower bounds eo 
(indicated by circles in Ligs. [3 and [3} ■ It is interesting to see 
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Fig. 2. Lower bound on the relative improvement of the state estimate 
in the Smart Meter Scenario (Kj), as a function of total loss of customer 
privacy, when Po = 1, Ro = 0.05, 5o = 0.05, Q = 0.1, and varying 
customer variability rjj. It is seen that the curvature dramatically increases 
for customers who have a high level of privacy in the Base Scenario (small 
eo)- 



Fig. 3. Lower bound on the relative improvement of the state estimate 
in the Smart Meter Scenario (Kj), as a function of total loss of customer 
privacy, when Po = 1, Ro = 0.05, 6o = 0.05, rjj = 0.01, and varying 
load variability £j . It is seen that the curvature increases for customers who 
have a higher level of privacy in the Base Scenario (small eo). 


that the improvement curves increase faster for small values 
of e 0 , especially as the customer’s variability rjj decreases. 
This is also clearly seen in the quadratic approximation (fTTb . 
whose curvature is (1 — Q)/{2rjj). Combining (fill and (IT3 >. 
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we also directly see that a small eo increases the curvature. 
(The quadratic approximations are indicated by dashed lines 
in Ligs. |3 and | 3 ) The importance of this observation is that 
a customer who enjoys a high level of differential privacy 
in the Base Scenario can dramatically improve the state 
estimation performance by only giving up a little bit extra of 
















privacy. For example, in Fig. [3 we see that if a customer is 
willing to increase eo + e from 0.25 to 0.35 when rjj = 0.01, 
there is at least around 30% improvement in estimation 
quality. On the other hand, the smart meter measurements 
of a customer who already has a low level of privacy in 
the Base Scenario are of much lower value. The reason is 
that such customers are already possible to estimate quite 
accurately using the measurement Zq alone. 

VI. Conclusion 

We have proposed a modeling framework to analyze the 
differential privacy for customers equipped with smart meters 
in a radial distribution power grid. Several different state 
estimation schemes were proposed, and an interesting trade¬ 
off between the utility for the operator and the loss of 
privacy for the customer was identified. The analysis revealed 
that aggregated measurements from small customers can 
significantly improve the operator’s state estimate at a small 
loss of privacy. 

It should be noted that in the current framework it is 
not possible for the customer to influence the baseline 
(eo, <^o)-differential privacy. This would be possible if the 
customer has access to a local controllable energy storage, 
see [17], for example. Open problems for future research 
also include more detailed modeling of the distribution grid 
and quantification of the accuracy of the MAP estimate. 
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